Yes, the logon account is the same and it doesn't exist in our company.

By "limiting the number of auth attempts" I mean this - if somebody is trying the same username with different passwords every time, I want to block that IP address after the certain amount (let's say three or five) of failed attempts.